fail2ban configuration in Fedora/RHEL

The configuration files in Fedora20 for fail2ban are located in the /etc directory under /etc/fail2ban/
with further sub-directories for actions, filters and jails.

drwxr-xr-x.   2 root 4.0K May 16  2014 action.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 fail2ban.d
drwxr-xr-x.   2 root 4.0K May 16  2014 filter.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 jail.d
-rw-r--r--.   1 root 2.1K Mar 14  2014 fail2ban.conf
-rw-r--r--.   1 root   33 Dec 10 00:16 fail2ban.local
-rw-r--r--.   1 root  14K Dec 10 01:06 jail.conf
-rw-r--r--.   1 root  16K Dec 10 00:54 jail.conf.rpmnew
-rw-r--r--.   1 root  805 Dec 10 07:48 jail.local
-rw-r--r--.   1 root 1.5K Mar 14  2014 paths-common.conf
-rw-r--r--.   1 root  606 Mar 14  2014 paths-debian.conf
-rw-r--r--.   1 root  649 Mar 14  2014 paths-fedora.conf
-rw-r--r--.   1 root 1.2K Mar 14  2014 paths-freebsd.conf
-rw-r--r--.   1 root  290 Mar 14  2014 paths-osx.conf

NOTE: In order to preserve your edits and customizations you should create separate *.local files, as the normal *.conf files (may) get overwritten during an upgrade. The *.local files take precedence over the *.conf files as the former are parsed after the latter. In *.local files specify only the settings you would like to change and the rest of the configuration will then come from the corresponding *.conf file which is parsed first.

sendmail Notifications

If you’d like to be notified every time fail2ban blocks an ipaddress from ssh access, for example, edit/create the /etc/fail2ban/jail.local file and append the following lines:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Since the [ssh-iptables] section wasn’t included in the jail.conf file by default (on my system, at least), I’ve added the entire section to the jail.local file; whereas, if it had been, I would’ve only added the lines I’d want to change.
All entries are separated by sections/headers enclosed in square brackets; the lines that follow then are applicable for that section until the next [section name].

enabled = true
“enabled” enables the jails.
By default all jails are disabled, and it should stay this way. Enable only those jails relevant to your setup in your .local or jail.d/*.conf files.

  • true: jail will be enabled and log files will get monitored for changes
  • false: jail is not enabled

filter = sshd

refers to the .conf file in /etc/fail2ban/filter.d/, which contains the rules (regex expressions, etc) that fail2ban uses to find matches in the log files.

action =

Each jail can be configured with only a single filter, but may have multiple actions. For those name items (e.g. action) that can accept multiple values (e.g. iptables, sendmail), specify the values separated by spaces, or in separate lines space-indented at the beginning of the line before the second value; therefore, mind the tabs at the beginning of the “sendmail…” line. 

action = iptables[...]
         sendmail-whois[..]

By default, the name of an action is the action filename in /etc/fail2ban/action.d/, and in the case of Python actions, the “.py” file extension is stripped. The action option refers to the steps that fail2ban will take to e.g. ban an IP address matching the options in the specified filter.

iptables[name=SSH, port=ssh, protocol=tcp]

name=, port=, and protocol= are the options in the /etc/fail2ban/action.d/iptables.conf file that you’d like to change or specify. Action files have two sections, Definition and Init. The “Init” section enables action-specific settings which can be overridden for a particular jail as options of the action’s specification in that jail.


firewalld

With the recent versions of Fedora and RHEL the default firewall program is firewalld. The Fedora Wiki has some useful configuration options listed for fail2ban with firewalld, such as changing the default default banaction to firewallcmd-ipset. Simply add the following to the beginning of the DEFAULT section in your jail.local file: 

banaction = firewallcmd-ipset
There are also configuration files in the action.d subdirectory for firewallcmd-ipset.conf and firewallcmd-new.conf. Additional info can be viewed and trucked in this bug-report.

Popular posts from this blog

Centos 7 pulseaudio

Image
Centos 7 doesn't come with an option for `awesome-wm` installation.  Therefore, the only way to make use of this light-weight tiling manager one has to enable Fedora 19 repo or build the package from source.  For the Fedora 19 repo approach, see: https://gist.github.com/ILMostro/1909a50e1858d0ee7e10 To use without GDM, GNOME's display manager, and without gnome services, one has to be aware of certain shortcomings that the gnome-services provide by default.  One such shortcoming is the lack of built-in Sound and Volume management.  Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter .  These packages are available from the " nux-desktop " repository available at at http://li.nux.ro/repos.html . nux-desktop My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at yo
Read more

RHEL 7 and CentOS 7 syslog Rate Limit

https://access.redhat.com/solutions/1417483 In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module Lower Ratelimit Interval Lower the interval for rate-limiting and increase the burst level in order to minimize the possibility of losing log messages when the threshold is reached for the specified number of messages logged within the specified interval. Rate-limiting is specific to each process, so there's usually no reason to change this. It is also inadvisable to disable this feature entirely! grep -i rate /etc/systemd/journald.conf #RateLimitInterval=30s #RateLimitBurst=1000 RateLimitInterval=10s RateLimitBurst=3000 grep -i rate /etc/rsyslog.conf #$imjournalRatelimitInterval 600 <--default $imjournalRatelimitInterval 300 $imjournalRatelimitBurst 30000 journal corruption journalctl --verify journalctl --force
Read more

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib. The code was originally based on pam_cracklib module, and the module is backwards compatible with its options. The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf . The possible options in the file are: difok Number of characters in the new password that must not be present in the old password. (default 5) minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9) dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the
Read more